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Abstract 


In this paper, the notion of normalized noiispecifirity is introduced. The nonspeeifieity mea- 
sures tlie uncertainty of the estimated parameters that reflect impairment in a controlled system. 
Based on this notion, a quantity called a reeonhguration coverage is calculated. It represents 
the likelihood of success of a control reconfiguration action. This coverage links the overall sys- 
tem reliability to the achievable and required control, as well as diagnostic performance. The 
coverage, when calculated on-line, is used for managing the redundancy in the system. 

1. Introduction 


Reliability has always been a subjective issue in the analysis and design of fault-tolerant 
control systems. It is rarely associated with tut objective criterion that, guides the design. This 
predicament is due to the fac t that, standard reliability assessment techniques are not geared 
toward systems with the type of redundancy that is involves! in reconfigurable control. There- 
fore-, it. is difficult to establish a functional linkage between reliability and diagnostic' /control 
performance. This paper is intended to establish suc h a linkage. 

One way to ac hieve fault-tolerance in a controlled system is to reconfigure its control law 
when the system fails. The method of c ontrol reconfiguration becomes feasible and effective in a 
system if adequate redundancy exists for possible ac commodation of few critic al but. foreseeable 
failures. The reader is referred to a rec ent survey paper by Patton (1997) for an outline of the 
state of the art in the field of fault- tolerant control. Some causes of difficulty, common to all 
fault -tolerant control designs, are the vagueness in the definition of a failure in the context, of 
control performance, the uncertainties! in the system and in the: exogenous signal models, the 
limited processing/ memory c apabilities in carrying out diagnosis, and, above all, the lack of re- 
liable means of managing redundancy, especially analytic redundancy, for example, the ailerons 
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of an aircraft are primarily for controlling the roll movement when used differentially. But they 
have also a secondary function of aiding elevens for controlling the pitch movement, when used 
collectively. Therefore, by analytically reconfiguring the control actions of the surfaces, redun- 
dancy could be effectively provided without added hardware. Unlike t he hardware redundancy, 
analytical redundancy is inherent in the static and dynamic relations among the system variables, 
and is more difficult to manage. 


The 1 design of reconfigurable c ontrol systems is commonly perceived to involve designs of 
three separate subsystem modules (Jacobson and Nett. 1997): a control subsystem module, a 



A schematic diagram of a reroniigurable c ontrol system is shown in figure 1. The control module 
contains a Unite 1 number of pre-designc’d or online-designed c ontrol settings. Each c ontrol setting, 
when properly selec ted under a given impairment condition, is to provide the controlled system 
with a certain prescribed performance level. The diagnostic module processes the measurements 
to estimate t he c urrent impairment c ondition. The- reconfiguration module derides which cont rol 
setting should be switched on to accommodate the condition. Note that c ontrol reconfiguration 
need not take place whenever an impairment condition occurs. It is only needed when control 
performance falls below a prescribed threshold. In that case, a failure is said to have occurred. 

An attempt was made by Wu (1997) to link the reconfiguration coverage with a diagnostic 
resolution and a control performance threshold. The reconfiguration coverage measures the 
likelihood of success of a rec onfiguration ac tion that enters the assessment of the’ overall system 
reliability as one ol the dominating parameters, fne diagnostic resolution is introduced on uie 
basis of a relevant nonspeeifieity measure. 

A measure of nonspeeifieity, as one type of uncertainty, was first conceived ill terms of finite 
c risp sects by Hartley (1928); it is usually called a Hartley measure. A measure of nonspeeifieity 
of convex sets in tin i -dimensional Euc lidean space was proposed by Klir and Yuan (1995); they 
c all it a Hartley-like measure. 

Once of the main contributions in tins paper is a refinement of the’ nonspeeifieity measure, 
which can be applied to measure and compare uncertainties of various physical quantities of dif- 
ferent physical dimensions in a meaningful manner. This is achieved by a normalization process. 
As a result , nonspeeifieity is dimensionless, and has a range between zero and once Two important 
measure's of rec onfigurable control systems arc’ then derived from the- normalized nonspe'eifieity. 
One measures the performance of the diagnostic: module in terms of diagnostic resolution, and 
one measures t he performance of the reconfiguration module in terms of coverage. This coverage 
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allows us to clepii t in a precise manner how the overall system reliability is related to the per- 
formance of the control subsystem module and to the performance of the diagnostic subsystem 
module. Therefore, it is suitable as a criterion for the management of analytie redundancy. 

The paper is organized as follows. Section 2 discusses some background material, including 
t lie modeling of a plant in a way suitable for control reconfiguration, and the proper assessment 
of the control performance. Section 3 introduces the notion of normalized nonspeeifieity upon 
which the diagnostic resolution is defined. Section 4 introduces the reconfiguration performance 
measure in the form of a coverage. The coverage serves not only as a means for incorporating the 
likelihood of a succisshii/iaiied I ecuniigillal imi action into the reliability assessment, but also as 
a device for managing the analytic redundancy. In this regard it. is used as a ranking criterion 
for selecting the most reliable control law. An example is discussed in which the relationsliip 
between the level of reconfiguration coverage and the levels of diagnostic resolution and control 
performance threshold are graphed. The graphs offer a clear view of the alternatives by which 
the design objectives can be either accomplished or compromised. 

2. A fuzzy set description of control performance 

The purpose of this section is to eliminate the vagueness in the definition of a failure in the 
context, of cont rol performance, and to create a reference framework for redundancy management. 

Since the design of both the control module and the diagnostic module in a reconfigurable 
control system is based on the knowledge of the plant, it is important that a model suitable for the 
purpose of control reconfiguration be established. By suitable we mean that impairment of ci itieal 
nature enter the model in an appropriate manner, and available redundancy is fully reflected in 
the model. In thi> following discussion, it is assumed that all impairments under consideration 
enter the plant model in the form of appropriate parameters. Some enter as physical parameters 
whin the model is formed based on the laws of physics. Some enter as coefficients when the 
model of a prescribed structure is identified through some experimental means. Others enter 
simply as dimensionless sealing factors to indicate the degree of abnormality of some particular 
components. Suppose that at. a given operating point, the state-spare linear model 

: ) - A ) Bi , • (0) - f'i , (1) 

simulates the input -output characteristics of a plant, when ■ > and w an i - ft and , - 
dimensional state, input., and output vectors, respectively, atu / Zj am C are known matrices 
(which may be time dependent) of appropriate dimensions. As an example, the impairments 


representing the loss of sensor /actuator effectiveness can be characterized by sensor and actuator 
effectiveness factors. The factors enter the model in the form 
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where A, — dia f> . .... b, ], and A — dio b m+ , ... b m , j (Wu lDlMj). Lath b t ranges 

between 0, representing no loss of effectiveness, and 1, representing complete loss of the effec- 
tiveness in the th effector (sensor or actuator). In general, we define an impairment parameter 
space as the Euclidean space of all parameters that change their values as the result of some 
impairment. The tircscribed range of variation of such parameters form a set in the iinp-'i’>>«'nr 
parameter space. Lei l denote a vector in the impairment parameter space of duin tisio A and 
S2 denote the set over whicl 6 resides when impairments occur. Without loss of generality, il ran 
be regarded as a hyper-rectangle 

n - < i < Oi ma . , - ... I ]• 


Denote by fl* the normalized impairment parameter domain. It is obtained by sealing each axis 
of the impairment parameter spare by the respective Lebesgue measures of the projections of 
impairment domain f l onto that axis. 
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Obviously, O v is a unit hypercube which will be used to define the normalized nonspecificity. 
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hypeT rectangles in m + pth dimensional Euclidean spaces. Next, control performance will be 
defined over the universal set of the impairment domain. 

In the schematic diagram shown in figure 1, G(6) represents a model for the input to output 
mapping of the plant, including models of actuators and the sensors. The argument 6 is made 
explicit to indicate that the model is dependent on the impairment parameter vector. Vector w 
contains all external signals, including disturbances, sensor noises and reference signals. Con- 
trolled output z is an error vector, capturing the design specifications on the system; y is the 
vector of measured variables; u is the vector of control inputs. 

Let T u j (0) represent the closed-loop input to- output mapping from w to z. The control design 
problem under a given impairment condition can be formulated as follows. Select a control setting 
that maps y to u so that 

sup J|T H . 2 {0- v )||, (Bl < 7, (3) 
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where the .subscripts u am out indicate the norms used for measuring the sizes of the input and 
tiie output space- signals, respectively -) > is a positive real number representing a prescribed 
performance level, ant is the optimally achievable performance level. Depending on what the 
input and output spaces are, design procedures vary and the resulting controllers are different. 
Several software packages are available, such as some MATLAH Toolboxes (Balas, et al. 1991), 
whic h contain routines for synthesizing such controllers wlici 0 is a linear and tirne-invariant. 
input -output, mannir - - 1 both input and output signal spaces are Hilbert spaces of energy 

bounded signals L ( > )). No matter how well a model represents the plant to be controlled, 

uncertainties due to modeling errors and in exogenous signals arc always present. Sud: 
uncertainties can be formalized m plant modt C of figure i as weighting factors (Doyle, et al. 
1989) A good control design achieves the requiri-d pe rformance in the 1 fac e of tin's!- uncertainties. 
In this case, the controller is said to provide a robust performance. It should he pointed out. that 
the purpose of this paper is not to discuss fuzzy logic contra of som model fret plant (Mendel 
1995), nor to discuss any human-intervened fuzzy supervision (Frank, et al. 1993). The plain 
to he controlled is reasonably well modeled, and a complete automation is required for control, 
diagnosis, and reconfiguration. 

Suppose that various impairment scenarios require tin A 1 different controllers be designed, 
each guaranteeing that performance levc " be ; --'d under a specific set of impairment con- 
ditions (a subset of $1). Swnnose a sot of sue M controllers has been obtained. Let these 
controllers be denoted b' C C . ... C\ , and let us address the issue- of control performance 
measure. Define an alternative control performance measure 


' ' suPMU-n II^WIU W 

as a function of 0, where the superscript i indicates that controller C, has been used as the 
feedback mapping in the performance evaluation. Some software packages (Balas, et al. 1991) 
can be useful in calculating the point wise measure for each 0 £ 12. As impairment parameter 
vector 8 moves away from the nominal value at which the design of C, is carried out, the value 
of p,(8) generally decreases. Naturally, M fuzzy sets 

C, = {(«,/*.(*)),* =1, M) (5) 

on universal set 12 are formed. Each fuzzy set represents linguistically control performance 
achieved by using controller C,. Figure 2 illustrates such a situation where three controllers 
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have been designed to cover a one '1'rnvnsioiial impairment parameter domain. Without loss of 
generality, it is assumed that 9„ u , 0 „„ = 1 . Note that fault tolerance can be achieved only 

if sufficient redundant control authority exists in the system, which is the case in figure 2. This 
point will be further elaborated shortly. 

Let pi denote a prescribed control performance threshold to distinguish the normal from a 
failed operation for the controlled system, i.e., a failure is declared if 

P i < Hi ■ (ft) 

Whenever this becomes the ease, a control reconfiguration is necessary. The essence of control 
reconfiguration is the management of the control relevant redundancy. Tin- subsequent section 
will discuss the criteria for making control ritconfiguration decisions, and the risk associated with 
a particular decision. 

Referring to figure 2 again it can be seen that some constraints must, be imposed on the 
control module when the set C ),”] is constructed. 

First, in order to guarantee that the control performance is always kept above the threshold 
by at least one controller anywhere in the impairment, parameter domain, a sufficient overlap 
must exist among fuzzy sets (4) or (5). Ill mathematical terms, tills condition can be states 1 as 

mil p i > pi . X - ( ! . (7) 

Instead of using the maximum operator in (7), we may use a particular -conorm associated wit h 

nf f».77v U (Ktii- sow) Wimnan lUOKt This cn.wiilir.ii imntii-K that adii.iiate 

redundancy must exist in a system in order to make fault, tolerance possible. 

Set "" since complexity is detrimental to the reliability of a system, the number of con- 

troller; A ) in the control module ought to be kept to the minimum. This condition implies 
that each controller ought, to be designed to achieve the maximal robustness with respect, to 
the variation in the impairment parameter vector Suppose 0’ i 12 is the nominal impairment 
parameter value at. which the design of eontrollc C '« < arried out. Let 1 8 denote flic Lcbesgue 
measure of a ball eeaitcred al t with radio; r in th A dimensional impairment parameter space. 
A robust, design problem could be formulated as follows. 
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Although the past- two decades have marked some major development in systematic ap- 
proaches to robust designs (Green and Limchcer 1995), a focused e-ffort is still very much needed 
for the development, of an iterative search procedure that leads to a sel of interactive robust 
controllers with a well defined overall optimality. Our effort along this direction is under way, 
but will not be further discussed in this paper. On the other hand, for any existing design of 
the control module, regardless of the approach and the criterion by which a design is c arried 
out, a control performance evaluation in the form of a set of fuzzy sets can always he obtained. 
However, if the: result, of the control performance evaluation violates one or both constraints 
mentioned above, some modification must be made in the 'control module design and/or in the 
control performance spee ilie at.ions. 

Knowing that a successful control rexonfiguration action depends on the accurate knowledge: 
of impairment parameter ( , the: challenge facing us is to acejuire and to represent this knowledge 
in the presence of uncertainties. 

3. Normalized nouspecificity 

This section introduces the: notion of normalized nonspecificity which is then applied to 
provide a measure of the uncertainty in the impairment parameter estimate. The: section also 
discusses how existing deterministic and probabilistic based diagnostic schemes can be retrofitted 
into the possibilistic formalization under the uncertainty invariance princ iple: (Klir and Wierinan 
1998). 

The past two decades have witnessed much progress in the techniques of fault diagnosis (Frank 
19U0). Wit. tun tnc category of model- basest diagnostic techniques, there are Doth deterministic 
and probabilistic approaches, both crisp and fuzzy model-based approac hes (Dexter 1995), both 
analytical and fuzzy-logic: approaches ( Aubrun, et al. 1993). The- emphasis of these developments 
has bes’ii on the prompt and accurate identification of the system condition, in the: fare: of 
uncertainties. In a control reeonhgurable: system, the role of the diagnostic module is to provide 
information to the reconfiguration module on the current condition of the controlled system so 
that the existing redundancy can be: best utilized through e:ont.rol reconfiguration. However, 
due to limited processing/ memory eapabihty and the presence of model /signal uncertainties, 
conclusions on the system conditions are always based on insufficient information. One is tempted 
to directly utilize the available diagnosis techniques and become: preoccupied with the concerns 
regarding such issues as false alarm, misses 1 detection, and false: identification. As a consequence, 
conclusions are' drawn prematurely at the output of the diagnostic module, which do not take 
into ceuisideration the: control module' involved. 
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A remedy is to entrust the* dexiskm to the reeonfiguration module that can combine the 
characteristics of the centred and the: eliagnost.il- modules. What is needed from the diagnostic 
subsystem, in addition to the: estimate of the: impairment parameter vertor. is a description of 
the' uncertainty associated with each estimate in terms of a possibility fune rion. The rationale 
for the use of possibility functions is that regarelless of the diagnostic scheme used, impairment 
parameter estimates can always be described by fuzzy numbers (more discussion at the end of this 
section) and these can be given a natural possibilistic interpretation (Klir 1999). In addition, 
fuzzy sets have been utilized in describing the control performance. The interaction of these 

Mt’i-i <--rvT wiv t riT>t- ( if fijT;Try wdi; 1 \ it-;-*] t j l!" M T 

decisions. Effort toward the possibilistic diagnosis, though limited at the time, already exists 
(Kang, et al. 1991). It was observed that a more prudent treatment, of uncertainty can result 
in an improves 1 reliability, and niaximuiu/iiunimuin operations m possibility theory can increase: 
the computational eHieieney. 

Suppose the identified impairment parameter has been ropnssented by a normal fuzzy set 

i - i )) i t ! ], 

as examplified by a triangular-shape membership function in figure 3. The quantity / R in the 
figure will b<* discussed when Tosnlutio R is formallv di'fined later in the section. (Sex 1 equation 
(12).) Set j = (S2 i 2 1 } for some value e € f< ll is called thi e -cut o /. The fuzzy 

set bears a nrisxihilistie interpretation (Klir 1999) Si 1 1 ‘ P is normal, the* associated possibility 
distribution. i , , is given in this ease by the formula 


for all i e Q. Give'ii now an arbitrary fuzzy se . - 0, i i )) it!], the possibility measure 

c / based on possibility distribution if is given by the formula 

Pm, / ) = sn mi i i , _ i ] . (8) 


The notion of normalized nonspee ifie it.y is now introduced for a fuzzy set defined on a - 
dimensional Euclidean spae:e* (impairment parameter space). Nonspecificity is not. the: only known 
uncertainty measure Within the domain of possibility theory, however, iionspecifinty has bex'ii 
shown to dominate the total measure of urn crtaiiity (Klir and Wierman 1998). 
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The? liart ley-like measure of a convex se A ill th A dimensional Euclidean .space has been 
shown to take' the; form 

II i .■) min (6 ■ try, ,F (1 ■+ .4 ( ) -f / | l~l A t } (9) 

e- /- 

under some standard uncertainty n»i>»«nre axioms (Klir and Yuan 1995), where T is the se;t of 
all unitary transformations on th. A -dimensional Euclidean space, and .4 ( | is the Lebtsgue 
measure of the projection of se .4 on to the th axis of the unitary transformed coordinate 
syste'in under transformation . In principle, the logarithm in (9) can be of any base. Rase 2 is 
chosen foi the purpose of simplifying a normalization process to he: introduce*! shortly. When 
the: e xperimental framework is confined to the normalize*! impairment domain J2 A as defined in 
(2), the original Euclidean space is effectively re-scaled along eae:h axis by the Lebesgue measure 
of the projec tion of hypere ube U. Using the Hartley-like measure given itt (9), the nonspecificit.y 
( l ) of normal fuzzy se: F is calc ulated by the formula 

l I ) — f Hi l da, ( 10 ) 

as explained in Klir and Wierman (1998). In the ne;xt theore'in, the normalized impairment 
domain 52,y is uses I 

Theorem 1 < f. I <1 l f ) = 0 if anel only i F is a singleton. 

Proof H‘ \ is c< •* — t.esi t.o satisfv the axiomatic: requirements (Klir and Wieni'“ti 11 *98) 
that i ' Hi . s, .vl.;m lit . \ - ci a a. .. a, it £ .,,,»v.rc«t ^ \ « R /J 

tha 111 : < III l ) wheneve / C t when A, l C A. Therefor III 1 > 0, where 

Hi I ) — 0 iff F is a siiivletnn in {If, . In combination with the definition of I ) given in 

(10), this implies tha l l >0, and tha l I ) — 0 iff F is a singleton for any givet t . This 

implies, in turn, tha F is a s'mrieton. On the other hand, e C By the monotonieity of the 
Ilartley-like measure Hi I • 111 (iir ). Consequently l 1 < l fS 1 - ' Ru III (12/ ) — 1 by 

the definition given in (9) because 12\ is a hypercube. Therefore f l <1. 

□ 

When S2 V is one-dimensional, the calculation of the normalized nonspeciftrity is much simpler. 
In this case, 

f 1 ) — ^ log (1 + I da, 

o 

where: t ( 12/ , and / j is the Lebesgue measure of I . 
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We define now a diagnostic resolutioi I l ) for a spee ifie diagnostic outcome: described by 
fuzzy se i t 12, s by the 1 formula 

1 = T' (12) 

Theorem 2. In a one dimensional impairment parameter situation, diagnostic resolution R(F) 
satisfies the inequalities 

1 < R(F) < oo. (13) 

In addition, R(F) is equal to the inverse of the core of a crisp set that has the same nonspecificity 
as fuzzy set F. (See figure 3). 

Proof. Since 0 < U(F) < 1 by Theorem l, the definition of R by (12) yields immediately (13) 
Suppose there is a crisp set C C 12 v such that |C„| = l/R(F) for all a 6 [0, l]. Then its 
nonspecificity is given by the formula 




On the other hand, U(C) and f/(F) are the same by assumption. With U(C) replaced by U(F), 
R(F) of the form (12) is obtained by solving the above equation. 


The geometric interpretation of R(F) as it relates to the nonspecificity of F is depicted in 
the figure 3 when — 0,,,,., — 1 is satisfied- Before normalization, on the other hand, the 
nonspecificity appears as 

U(F) — f log 2 (l + \“Fm\)da. (14) 

J ii 

In this case, the Lebesgue mesure of the nonspecificity-equivalent crisp set C relates to R(F) 


through the equation 


It is important to point out that normalization is absolutely necessary when nonspecificity is 
to be used in a real world problem. Normalization had not been considered for the definition 


of nonspocificity prior to this work. By using the one-dimensional case as an example, let us 
analyze the consequence of employing the non- normalized nonspecificity. This is the case when 
|"F| C fl in (14) is not divided by the Lebesgue measure of impairment domain |fi|. It is noted 
that the numerical value of |“F| can be made entirely arbitrary, because the unit used for the 
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impairment parameter can bn arbitrarily selected. As a result, the numerical value of nonspeci- 
tii it; l J ) is arbitrary. When the unit of impairment parameter 0 is fixer!, the non-normalized 
nonspeoificity can be useful but only in a relative sense. In addition, adding a dimensionless 
quantity 1 with a quantity with a definite physical dimension / ) is a fundamentally incor- 
rect mathematical operation. When the impairment, parameter space is of multiple dimensional, 
without normalization, one is indeed comparing apples with oranges. 

Since most existing diagnostic schemes are either deterministic or probabilistic, the retrofit 
issue, i.e., the transformation of the diagnostic outcome from its original representation to the 

T'Mvsibiiisti' ri. if\n to 

An estimate from a deterministic diagnostic scheme is represented by a point p m the im- 
pairment parameter space with an error bound i . This error bound is typically the radius of a 
hypersphere surrounding the point. Le l p, ) denote the set enclosed by the hypersphere. This 
set can be defined by the characteristic 



Hence, it. may be viewed as a special fuzzy se I . The corresponding possibility measure of this 
fuzzy set is readily obtained by (8). 

On the other hand, an estimate from a probabilistic diagnostic scheme is represented by 
a probability distribution function. The transformation from the probability to a possibility 
formalizatio!! is however isiorti involvtHi. is rcifurrixl to rocont pay> # -TS by F\iir (lt)D8) hii*1 

I larmaiiec ami Klit {191)7) for more information. The following example shows how an uncertain- 
invariant probability-to-possibihfy transformation is marie for an impairment parameter estimate 
called eleven effectiveness factor that, enters an aircraft, model. Please see Balas et al (1991) and 
Wn and Chen (199b) for a description of the 4th order linearized state space model and its 
modification. 

The eleven effectiveness is estimated using an adaptive Kalman estimator (Wu, ct. al. 1998), 
and at each given time is described by a computed probability density function. This density 
function is then integrated to a discrete probability distribution function, a snap shot of which 
at = 4scc is shown in the upper plot of figure 4. Although treatments for both continuous and 
discrete universal sets are available, our continuous problem is to be treated in the discrete domain 
for computational efficiency. The lower plot in figure 4 shows the possibility distribution at 
— Isec The following result is used for carrying out the probability to possibility transformation 
for t lie example. 
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Theorem 3 (Ilarmanec nod Kllr 1997) Le // denote the number of distinct values of in the 

k-t.upl < p , p p, representing a probability distribution arrMiiued in descending order 

Then there cyU ff integers, t ,...,?/ £ . ... ], such that p — ■ • - n, > p u , — - p, > 

■ ■ > p tll 1+ — - p,, ■ All possibility distribution <r ■■■,»■ > consistent with the given 

probability distribution and containing the same amount, of uncertainty are all those possibility 
distributions that, satisfy 

r u Pi 

i-i, i 

for all = I ■ ■ ■ I 1 (with / — (11 and 


r, > t pi 


for i + 1 

The transformation expressed by Theorem 3 remains the same for any multidimensional case, 
provided that the probabilities and the possibilities involved are ordered as specified. When there 
are equal probabilities in till' distribut ion, an additional criterion is needed to uniquely determine 
the corresponding possibility measure. The criterion of maximal nonspecificity (Ilannanoc and 
Klir 1997) is adopted, for one wishes to be constrained only as much as necessary in making 
decisions based on the possibility distribution. 

Figure 5 shows the plots of the nonspocificity and the corresponding diagnostic resolution as 


the method used for diagnosis. The volatile behavior in these plots is caused by a sudden drop 
of the eleven control effectiveness at — fisec. The impairment parameter estimator recognizes 
the large uncertainty in the estimate during the transient, process. 

4. Optimal redundancy management 

The focus of our discussion in this section is shifted from the diagnostic module to the 
reconfiguration module where the decision is made on whether and how a control reconfigurat ion 
should take place in order to accommodate a failure. In this regard, the reconfiguration module 
carries out the task of redundancy management. Optimal redundancy management amounts to 
selecting in a prescribed class of controllers one and only one that offers the highest reliability. 

It is possible to estimate the likelihood of success arid the likelihood of unsuccess in a recon- 
figuration action, which arc respectively named a coverage, « , and a complementary coverage, 
i , in the following discussion. More specifically, the coverage indicates the likelihood of fuzzy 
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set (u Hit. roller C being selected while the actual impairment parameter 1i*-s within the interval 
over wiiicli the prescribed control performance level is achieved ft . > fi- ). The complemen- 

tary coverage indicates the likelihood of fuzzy se C being selected while the actual impairment 


parameter lies outside of the interval. 

Suppose the reconfiguration module h;is selects C, by using some ranking method. The 
< -overall e ran be defined by using the ratio of two weighted nonlinear intervals. R<x:all that fuzzy 
se F represent the outcome nf the impairment r “* r »meter estimation. Expres F as the union of 
two set. F t F , when F - 0, i )) pi z fi ] , ant F - 0, . < )) p 1 < p . Then 


and, similarly, 


where HL() denotes the Hartley-like measure defined by (9), and U (.) denotes the nonspecificity 
defined by (10). Fuzzy set F is subdivided according to whether a particular possible impairment 
condition is accommodated by controller C,. The following one-dimensional expressions for the 
coverage and the complementary coverage may reveal more explicitly their dependence on the 
partitioned fuzzy sets. 


1 )) ft ' 'ft ) 

, an< F 

1 III F da 

U(F“) 

Ju 1 HH"F)da 

U[F) ’ 

fo HLC'F ! )da 

U(F‘) 

Jo 1 HL("F)da 

U(F) ’ 


fn log>( 1 + |‘F|)da ’ 


and 

_ f 0 ‘ log, (l + \"F‘\)da {lg) 

Jj l*A 1 + l'*1 )da 

These expressions show that the coverage and the complementary coverage depend on the di 
agnostic performance, characterized by nonspecificity U(F) which uniquely determines the res- 
olution, as well as the control performance, characterized by threshold p 7 -, which uniquely de- 
termines subdivisions F" and F 1 . Therefore it links the performance of individual modules to 


overall system reliability. 

Theorem 4. 0 < c < 1 and 0 < c < 1. In addition, 1 — c < c whenever the subadditivity of 
the Hartley like measure with respect to set union (19) holds for "F , ‘ and "F‘. The subadditivity 
always holds when N — 1. 

Proof. By the monotonicity of the Hartley like measure (Klir and Wierman 1998), 0 < HL(‘'F '‘ ) < 
FFL("F). Integrating over a € [0, 1] yields 0 < l f(F'‘) < U(F). Therefore, 0 < c < 1 from (15). 


13 


Similarly, < < 1, or < - < 1, by using (16). Assume now that the subadditivity of the 

Ilartlev-like measure holds for al t , i.e., 

Hi F u F ; Ih F ) Hi F , r>. (19) 

It follows from (15) and (16) that 

I Ih F ) Ih F da ^ 

+ “ So HL("F)da “ 

Although the subadditivity may not hold in general, due to the minimum operator in (9), it 
certainly holds when N — 1 because in this case 

HL("F U ) + HLC'F 1 ) = log, (l + m)(l + |‘F'|) > log 2 ( 1 + |'F"| + |‘F|) > log-,{ 1 + | "F" U “F * |). 


Therefore, L — c < c. 


□ 


It is seen that coverage 1 — c is bounded above by coverage c. 1 — c and c can be regarded as 
lower and upper bounds for an interval-valued coverage. Their difference reflects the amount of 
information deficiency in the diagnostic outcome. 

Suppose there are M possible control settings, each of which is designed to accommodate a 
particular set of system conditions. In determining which control setting is most suitable, the 


outcome F, , ■ ■ - , are calculated, and 


c k = max {c,}, (20) 

*6{i ■■■ 

then control setting C k is selected. This is the essence of optimal redundancy management. As 
a result, the highest coverage, and, hence, also the highest reliability at the overall system level 
are achieved. Apparently, a real time computation of coverage values for every candidate control 
setting is required. 

The next example will shed some light on how the computation of the coverage is carried out. 
It also shows some quantitative relations of the coverage to the control performance threshold, 
as well as to the diagnostic resolution. For ease of visualization, a one-dimensional impairment 
space is considered, as shown in figure 6. Suppose controller C, is under consideration to see 
what level of coverage it can provide if it is chosen by the reconfiguration module. Suppose the 
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hk'IuIm - 1 - ‘‘unction that represents tht: performance of this controller has the shape of a triangle. 
Its pea M, represents the level of nominal performance achieved at some value of impairment 
parameter, and t , the Lebesgoe measure of its support., gives an indication on performance 
robustness provided by eontrolle C . The estimated impairment, parameter is represented by the 
normal fuzzy se b . also with a triangular membership function, c - no the Lebesgue measure 
of the support, o f , is to he varied between 0 and t ( via parameter < 6 [< 1]. Furthermore, 
suppose that sufficient analytical redundancy exists so that figure 6 describes the extreme ease 
scenario 


under which control scttiri) C would still be selected. This means that, a different controller 
would have been chosen il nr mm i < ( 2. Ill addition, suppose the diagnostic module 

provides a sufficiently high resolution that 


/( > Al /(. , 


wliei M > 1 is assumed wit hout loss of generality. Note that, most of the assumptions above 
are for simplifying purposes, and can be relaxed. 

For the scenario in figure 6, formulae for computing coverage < and complementary e intro- 
duced in the previous section take the following forms 


( 1, 


mn 


^[1 -b — «<j( 1 + qj/'Jl/»[l b Ftp ( 1 - a)/ 2j — ( \ -F*q — I — '2fc) -» 

{ l+to«)fTi{l -<ua) «o« 

(1 -H<jri)/n( I + »o“)~ *o« * 


C = UJJill 
rm 

0, 


b < t n /2 — C/.-/2 
«n/2 - <r /2 < 6 < e () /2 
e„/2 < b < £()/2 + £f/2 
b > £o/2 T £f/2 


2jH* <up a)/2|l..|l+6 t0 (l a)/2| a>+. u (l o) 

(1 4 fua)/n( 1-Ff 0 n 


b ^ to/ 2 — t/. / 2 
«<i/2 — £/./ 2 < b < £(i/2 

HlLti. wti u)/2ie,[i+t.-.o(i-..)/2]-(i+2<.-.i,))..(i+2A ^ ( J2 < b < £„/ 2 + e,,/2 

( 1 I 1 • t||£l j <„« ’ W — / / 

1, 6 > to/2 4- 1/, /2. 


Note that the subdivision of F into F' 1 and F ! occurs at the point where C, and p; intersect. 
This point is marked by b = , measured from 8 — 0. Since 6 is proportional to the control 


performance threshoh p-, , it can also be used as an indication o py . < = e /to is a fraction 
indicating the support of fuzzy se F relative to its worst case support . 

The nonspeeificity and the resolution for this example are 

(1 + * • h (1 -+ c i - f » 

/n(2)£i,a ’ 

and 

R ^ = (e„a+l)(*-“ »/(•«“) -e’ 

by equations (11) and (12). where e. = 2.7183. Plots of U(F) and R versus £r/ £,. are shown in 
figure 7. It can easily be derived that U(F) a: c/. when t ( <C 1. 

c and c are now computed as fimetions of control performance threshold p;, with diagnostic 
resolution fiasa parameter. 

The fourth plot in figure 8 shows the interval coverage between boundaries c and 1 — c as 
a function b (p/) with resolution R = 4.13 when a — £/. /q, = 1, calculated using the above 
given formulae. It is assumed that the most possible value for 8 is at 0 = e L ,/2 = 0.25 when 
£„ = 0.5, and the peak location of the membership function for F remains as a changes. The 
change in coverage corresponding to a gradual decrease in the value of a are shown in the third 
(a = 0.65, R = 6.30), the second (a = 0.35, R = 1158), and the first (a = 0.05, R = 80.17) 
plots, respectively. 

By observing the graphs obtained, the following conclusions can be drawn. The gap between 
liie two bounds on uuvtatigt: mci wilu bt^-i It (diaguualni i evolution), imd with, iiicr^w 
ing fir (control performance) at the high coverage end. The value of coverage itself increases 
with increasing R at high coverage end, and with decreasing p/ . All the conclusions are within 
our expectations. Their significance lies in that a guideline for design iteration is provided in a 
quantitative manner for meeting a prescribed reliability requirement. 

Suppose that coverage c» = 0.99 is required for achieving a certain prescribed reliability. 
With a relatively high resolution such as shown in the first plot of figure 8 (R = 80), the control 
performance threshold can be set at b — 0.22 or lower. Suppose the diagnostic module designer 
can afford a resolution only at R = 4.13 as shown in the last plot of figure 8. In this case, one must 
be content with a much lowered control performance at around b = 0.022 (10% of the previous 
case). If this performance level is not acceptable, one can attempt the following: increasing the 
processing/memory capability of the diagnostic module, or increasing the performance level of 
the control module at around 8 = 0.5 without sacrificing elsewhere. The first attempt is aimed 
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at enhancing resolutioi / within the given decision time, sav fron 1 — 4 t* I = 80, and the 
second attempt is aimed at raising the allowable level fot ;cj , say from = I 02 to — ( 2, so 
that the retpiired coverage level c t can be achieved. 

5. Conclusions 

A method of redundancy management, in control reconfigurable systems is presented. Re- 
dundancy management in such systems amounts to making control reconfiguration decisions. It 
is assumed that adverse conditions that may cause the failure of the systems are parameterized 
in the system models in terms of impairment parameters. Our method of decision making is 
based on the interaction of two classes of fuzzy sets debited on the bounded universal set. in an 
impairment parameter space. One class of fuzzy sets represents the set of measures of control 
performance for all control settings. The other class represents the outcome of the impairment, 
parameter estimation. By introducing the notion of normalized nonspecificity measure for the 
latter class, we are able to meaningfully quantify the performance of the reconfigurable control 
systems using coverage, which is defined as the likelihood of successful control law reconfigura- 
tion On the one hand, the coverage affects the reliability of t he overall systems directly. On 
the other hand, our definition of the coverage is functionally related to the control performance, 
as well as to the diagnostic performance. It sets the criterion and provides a means for the 
integrates! design of control reconfigurable fault- tolerant systems. 

A major theoretic issue that, still remains unresolved is the subadditivity of the Hartley- 
like measure of two bounded sets on an multi-dimensional Euclidean spare without imposing the 
convexity condition on the sets. This has restricted the application of our solution to problems of 
sequential single-fault, scenarios, instead of sequential simultaneous- faults scenarios. Overcoming 
this nsitrietion may require that a new type of Hartley-like measure be defined. 
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Figure 1 A reconfigurable control system 





Figure 2 Control performance measures as fuzzy sets 



Figure 3 Impairment parameter estimate as fuzzy set 
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